Major vulnerability in Apple's macOS provides System Administrator access with few instruc...

A new security flaw in macOS High Sierra has been discovered by researchers -- one that can grant users access to the system administrator account on a target machine, enabling access to the account without requiring a password.

Posted on Twitter by software engineer Lemi Orhan Ergin, the vulnerability requires relatively few steps to accomplish, and takes advantage of a section within the System Preferences menu. AppleInsider is not publishing the full set of instructions for the sake of security, but staff tests have confirmed it to be functional, and extremely simple to follow.

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

Once the few steps were performed, AppleInsider staff discovered the "root" System Administrator account on the Mac mini with macOS 10.13.1 being used for testing was enabled, despite having been previously disabled. After disabling the account, following the same instructions re-enabled the account.

The flaw exists in all versions of High Sierra, including Beta 5 that was released earlier on Tuesday.

Granting access to the System Administrator account allows users free rein over the macOS desktop, including the ability to view all files stored on the computer in all user accounts, edit the credentials of other users, and alter other settings on the device.

It is unclear if Apple was advised of the security issue before Ergin's Twitter disclosure, but his query to Apple Support asks "Are you aware of it @Apple?" suggesting no such advance warning was made.

While a major vulnerability, it still requires access to the computer either locally or with a Remote Access connection. It also needs an authorized user to be logged in to generate the Root account with no password. Disabling the Guest account provides a level of protection, by requiring users to have a presumably secure password to access the computer in the first place.

In a support page, Apple says that the Root user is not intended for routine use, with the user getting privileges that allow changes to files that are required by the Mac.

The ultimate protection against the exploit is to disable Guest access. This can be accomplished by opening up System Preferences, and turning off "Allow guests to log in to this computer."

To disable the Root user, select System Preferences, then click Users & Groups.

Click on the lock icon, and authenticate with an administrator's name and password. Click Login Options.

Click Join or Edit.

Click Open Directory Utility, and click on the lock icon to authenticate. Pull down the Edit menu, and select Disable Root User, which appears in the same place as Enable Root User.

There is no way to generate the Root account from the login screen. After disabling the Root user, unless the procedure is followed again, the computer is secured.

Alternatively, from the Directory Utility, the Root account password can be changed. This will prevent the exploit from working again but can have unintended consequences, including prompts for Root credentials at unexpected times.
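A read-only Terminal check of the two settings the steps above change, useful when auditing several Macs; this is an added example, not from AppleInsider or Apple. It assumes a disabled root account has no AuthenticationAuthority attribute in the local directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): read-only audit of the two settings
# the article's mitigation steps change.
# Assumption: a disabled root account has no AuthenticationAuthority attribute
# in the local directory node, so dscl answers "No such key".

# root_state TEXT: classify the output of
#   dscl . -read /Users/root AuthenticationAuthority
root_state() {
    case "$1" in
        *"No such key"*)            echo disabled ;;
        *AuthenticationAuthority:*) echo enabled ;;
        *)                          echo unknown ;;
    esac
}

# guest_state VALUE: classify the output of
#   defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled
guest_state() {
    case "$1" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# assess ROOT GUEST: one-line verdict. The directory record cannot show
# whether root's password is blank, so an enabled root is always flagged.
assess() {
    if [ "$1" = unknown ] || [ "$2" = unknown ]; then
        echo "UNKNOWN: could not read root=$1 guest=$2"
    elif [ "$1" = enabled ]; then
        echo "REVIEW: root is enabled; confirm this was deliberate and a password is set"
    elif [ "$2" = enabled ]; then
        echo "WARN: root is disabled but guest login is on"
    else
        echo "OK: root disabled, guest login off"
    fi
}

# Query the live system only on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = Darwin ]; then
    r=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    g=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)
    assess "$(root_state "$r")" "$(guest_state "$g")"
fi
```

A REVIEW result on a Mac where root was previously disabled matches the symptom described above and warrants setting a root password.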

Update: Apple subsequently issued a statement to iMore:

"We are working on a software update to address the issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012M. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the "Change the root password" section."

Comments

https://news.ycombinator.com/item?id=15800676 says "You're enabling the root user EVERY time you use this vulnerability. Even if you disable the root user in Directory Utility, logging in with root and no password will re-enable the root user."

You really need to set a password for "root" (using the same Directory Utility tool & nearby menu). After Apple releases a fix, remember to come back and disable the root user.

Sure it does. Don't execute the flaw again, and prevent other users from doing so by disabling Guest access, and the Root user with no password won't appear again. That said, we've inserted more information about changing the root user's password -- which can have unintended consequences, especially if you forget the password.

The original guy that found this should have quietly notified Apple through the official channels for reporting vulnerabilities. If Apple had not responded in a fair amount of time - then go public. He has just exposed a lot of people to having information stolen.

So that means you can 1) disable the Guest User, or 2) keep Guest User active and change the Root User password to keep this security error at bay?

So that means you can 1) Disable the Guest User and Disable Root User, or 2) keep Guest User active and change the Root User password to keep this security error at bay?

Yup, either works. With 1, if you have a rogue user with a login and password, the Root account can be re-generated, though.

If you want to keep Guest active, your #2 there is the only way to go.

Does this in any way affect rebooting a machine into Single User Mode? I've seen nothing about it, but this security issue makes me wonder if that could also be an entry point.

We're still working on it, but provisionally, no. However, Root can still be generated.

You could have put "Local" in the headline. I'm sure I'm not the only one here looking after a group of Macs for business or family who'd really appreciate direct triage information in the headline.

Saying "Local Root vulnerability macOS High Sierra discovered" would have let me read the article once, knowing exactly how many machines are of concern, and work out the action needed, instead of having to skim read first to pick up these important facts, then read again properly to work out the action.

Hilarious! We’re arguing about how this actually works and what to do about it. So many experts, so little expertise to confuse the issue and tie it up in knots. I decided to use iMore’s Rene Ritchie’s advice to enable root, set a strong password, and leave root enabled until the patch is made, probably in 10.13.2.

That only works so long as no one else manages to get access to your Mac while it is either unlocked or sitting at the login screen. If your Mac doesn't have FileVault enabled, rebooting it will suffice. If you display a list of users at login, clicking "other" will let you enter "root" and no password.

The vulnerability can also be triggered via an AppleScript. If someone manages to get you to run the script, it will trigger the flaw.

That works too. DO NOT forget the password. In the meantime, some system operations may bug you for it, when you wouldn't ordinarily expect to enter it.

Disabling root is not a fix. Changing root's password is a fix.

OK, I've disabled Guest Account and I have File Vault 2 enabled (both already the status quo before any of these cropped up), and then I made sure that Root User access was Disabled (no Root User password change attempted).

Then I logged out of my Mac and typed in Root as the username with no password and nothing happened. Based on what your post says, shouldn't that have logged me in? If not, what can I type in to verify that it will bypass my system?